Case tests limits of post-Snowden privacy

Microsoft is resisting a U.S. warrant to turn over computer files stored in Ireland.

Documents from the megaleaker showed that, in foreign intelligence investigations, the NSA was able to obtain by court order, or sometimes just steal, the decryption keys from technology companies storing cloud data using traditional encryption. With one company’s key, the agency can decrypt data from all its customers.

Domestically, the FBI also has the authority to order a company storing encrypted data to turn over the key. Just such a subpoena last year caused Snowden’s email provider, Lavabit, which used traditional encryption, to shutter itself, rather than hand over the key to all its users’ data.

But with client-side encryption, each customer has their own key and a warrant or subpoena would have to be served on them individually, which is difficult if they are abroad.

Microsoft competitor HP is one of the largest players to jump into the zero-knowledge market so far.

The company is touting its new Atalla cloud, launched last month, as a system that can protect data both from the prying eyes of the NSA and from a Microsoft-like or Lavabit-like warrant no matter where it is stored.

“This is very specifically focused around the idea of data sovereignty, of companies owning their data,” HP security division Senior Vice President Art Gilliland said.

If the initial Microsoft ruling stands, Gilliland said, zero-knowledge encryption may be one of the few ways for the U.S. to remain competitive in the global market for cloud services against other nations that interpret the scope of their legal authority more narrowly.

Chris Soghoian, a senior policy analyst with the American Civil Liberties Union, said offering more client-side encryption was one way U.S. tech companies could try to repair the damage that Snowden did to their reputation.

“It may be too little too late, but the only thing that can stop the bleeding is cryptography,” he said, noting that the German government recently canceled a Verizon contract out of concern it would aid NSA efforts to listen in on government phone calls.

There’s also a concern among companies that if the U.S. government prevails against Microsoft, other governments could make similar claims.

“I think all reputable companies would say they’re not averse to complying with lawful demands,” said former senior FBI official Michael Vatis.

“They just think there should be legal limits,” added Vatis, now a Steptoe & Johnson attorney who wrote Verizon’s friend of the court brief in the Microsoft case. “Otherwise we just have a free for all where we have governments trying to say they can access information no matter where it’s stored in the world so long as they serve an order on some business in their country.”

A new legal regime

Some law enforcement officials have long been concerned that encryption and other new technologies are frustrating their ability to investigate terrorism, drug and child trafficking and organized crime.

CALEA, the 1994 Communications Assistance for Law Enforcement Act, required cellphone providers to build their systems so law enforcement has the technical ability to tap into them with a warrant, but the law has been outpaced by new technology, say federal officials.

Despite the Federal Communications Commission expanding its interpretation of CALEA to include voice over Internet protocol, or VoIP, communication during the Bush administration, the FBI complained to Congress in 2011 that smart criminals were “going dark” by relying on email, social networking and other systems that weren’t built to allow surveillance.

Going dark “is shorthand for what will national security and law enforcement agencies do if the bad guys figure out some new technology that law enforcement cannot surveil and part of that has been encryption,” one former Justice official said.

Proposals to expand CALEA to other Internet communication have been sidelined for the time being by the Snowden revelations, and it’s unlikely proposals to expand surveillance will gain much political traction anytime soon. But in the long term, the politics of law enforcement on Capitol Hill makes Congress friendly territory for surveillance advocates.

“The nightmare scenario is a little girl has been abducted and she’s going to be raped and police can’t find her because foreign parties refuse to turn over their keys,” Thaw said, describing an extreme hypothetical case of “going dark.”

“You can see Congress trying to pass a law to make it very difficult for that to happen.”